Drept
IS Audit and Controls Quiz
Test your knowledge on IS auditing practices and controls with our comprehensive 77-question quiz. Designed for aspiring auditors, this quiz covers a range of topics including access controls, risk management, data integrity, and compliance.
Key features of the quiz:
- Applicable for various levels of experience
- High-quality, factual questions
- Instant feedback on your performance
Which of the following is an analytical review procedure for a payroll system?
Performing penetration attempts on the payroll system
Evaluating the performance of the payroll system, using benchmarking software
Performing reasonableness tests by multiplying the number of employees by the average wage rate
Testing hours reported on time sheets
An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system. The IS auditor should FIRST:
Accept the level of access provided as appropriate
Recommend that the privilege be removed
Ignore the observation as not being material to the review
Document the finding as a potential risk
Two servers are deployed in a cluster to run a mission-critical application. To determine whether the system has been designed for optimal efficiency, the IS auditor should verify that:
The security features in the operating system are all enabled
The number of disks in the cluster meets minimum requirements
The two servers are of exactly the same configuration
Load balancing between the servers has been implemented
The GREATEST risk when performing data normalization is:
The increased complexity of the data model
Duplication of audit logs
Reduced data redundancy
Decreased performance
An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor’s BEST recommendation for the organization?
Continue using the existing application since it meets the current requirements
Prepare a maintenance plan that will support the application using the existing code
Bring the escrow version up to date
Undertake an analysis to determine the business risk
Which of the following is the BEST way to evaluate the effectiveness of access controls to an internal network?
Perform a system penetration test
Test compliance with operating procedures
Review access rights
Review router configuration tables
An IS auditor finds a number of system accounts that do not have documented approvals. Which of the following should be performed FIRST by the auditor?
Have the accounts removed immediately
Obtain sign-off on the accounts from the application owner
Document a finding and report an ineffective account provisioning control
Determine the purpose and risk of the accounts
An IS auditor is a member of an application development team that is selecting software. Which of the following would impair the auditor’s independence?
Verifying the weighting of each selection criteria
Approving the vendor selection methodology
Reviewing the request for proposal (RFP)
Witnessing the vendor selection process
An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective. Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?
Cost-benefit analysis
Gap analysis
Risk assessment
Business case
An IS auditor has completed an audit on the organization’s IT strategic planning process. Which of the following findings should be given the HIGHEST priority?
The IT strategic plan was completed prior to the formulation of the business strategic plan
Assumptions in the IT strategic plan have not been communicated to business stakeholders
The IT strategic plan was formulated based on the current IT capabilities
The IT strategic plan does not include resource requirements for implementation
Which of the following would provide the BEST evidence of successfully completed batch uploads?
Sign-off on the batch journal
Using sequence controls
Enforcing batch cut-off times
Reviewing process logs
An IS auditor is conducting a review of a healthcare organization’s IT policies for handling medical records. Which of the following is MOST important to verify?
A documented policy approval process is in place
Policy writing standards are consistent
The policies comply with regulatory requirements
IT personnel receive ongoing policy training
Audit management has just completed the annual audit plan for the upcoming year, which consists entirely of high-risk processes. However, it is determined that there are insufficient resources to execute the plan. What should be done NEXT?
Remove audits from the annual plan to better match the number of resources available
Reduce the scope of the audits to better match the number of resources available
Present the annual plan to the audit committee and ask for more resources
Review the audit plan and defer some audits to the subsequent year
If concurrent update transactions to an account are not processed properly, which of the following will be affected?
Integrity
Confidentiality
Availability
Accountability
Which of the following would MOST effectively control the usage of universal serial bus (USB) storage devices?
Policies that require instant dismissal if such devices are found
Software for tracking and managing USB storage devices
Administratively disabling the USB port
Searching personnel for USB storage devices at the facility's entrance
An IS auditor finds that a DBA has read and write access to production data. The IS auditor should:
Accept the DBA access as a common practice.
Assess the controls relevant to the DBA function.
Recommend the immediate revocation of the DBA access to production data.
Review user access authorizations approved by the DBA.
What is the primary objective of a control self-assessment (CSA) program?
Enhancement of the audit responsibility
Elimination of the audit responsibility
Replacement of the audit responsibility
Integrity of the audit responsibility
Responsibility and reporting lines cannot always be established when auditing automated systems since:
Diversified control makes ownership irrelevant.
Staff traditionally changes jobs with greater frequency.
Ownership is difficult to establish where resources are shared.
Duties change frequently in the rapid development of technology
The GREATEST advantage of using web services for the exchange of information between two systems is:
Secure communications.
Improved performance.
Efficient interfacing.
Enhanced documentation.
Applying a digital signature to data traveling in a network provides:
Confidentiality and integrity
Security and nonrepudiation.
Integrity and nonrepudiation
Confidentiality and nonrepudiation.
During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the IS auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?
A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.
The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices.
Corporate security measures have not been incorporated into the test plan.
A test has not been made to ensure that tape backups from the remote offices are usable.
Which of the following is the BEST way for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor?
Ensure that automatic updates are enabled on critical production servers.
Verify manually that the patches are applied on a sample of production servers.
Review the change management log for critical production servers.
Run an automated tool to verify the security patches on production servers.
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization’s risk management.
The PRIMARY purpose of installing data leak prevention (DLP) software is to control which of the following choices?
Access privileges to confidential files stored on servers
Attempts to destroy critical data on the internal network
Which external systems can access internal resources
Confidential documents leaving the internal network
An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
Development of an audit program
Review of the audit charter
Identification of key information owners
Development of a risk assessment
What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?
Implement a log management process.
Implement a two-factor authentication.
Use table views to access sensitive data.
Separate database and application servers.
An audit including specific tests of controls to demonstrate adherence to specific regulatory or industry standards is:
A regulatory audit
Financial audit
Integrated audit
Compliance audit
An audit which combines financial and operational audit steps, performed to assess the overall objectives within an organization related to financial information, safeguarding of assets, efficiency and compliance, focusing on risk and involving a team of auditors with different skill sets working together to provide a comprehensive report, is:
A financial audit
A strategic audit
An operational audit
An integrated audit
An IS audit should focus on data:
Confidentiality, integrity and availability
Confidentiality, integrity and accuracy
Availability, accuracy and confidentiality
Completeness, accuracy, integrity
Audit charter is:
A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity. It must be approved by the highest level of management or the audit committee.
A formal document which defines an IS auditor’s responsibility, authority and accountability for a specific assignment.
A formal document developed by the auditor
One of the most relevant documents an auditor needs to develop prior to starting the audit engagement.
The role of a preventive control is to:
Minimize the impact of a threat.
Detect the occurrence of an error
Detect problems before they arise.
Report the occurrence of an error, omission or malicious act.
The role of a detective control is to:
Prevent an error, omission or malicious act from occurring.
Detect and report the occurrence of an error, omission or malicious act.
Remedy problems discovered by detective controls.
Identify the cause of a problem.
Which of the following is NOT an IS control objective?
Enhancing protection of data and systems by developing an incident response plan
Supply chain policies, procedures & practices designed to provide reasonable assurance that business objectives will be achieved, and undesired events will be prevented or detected and corrected.
Integrity of general operating system (OS) environments, of sensitive and critical application system environments
Appropriate identification and authentication of users
Risk mitigation could be defined as:
Knowingly and objectively not taking an action, the risk being considered within the risk appetite of the organization’s management.
Avoiding risk by not allowing actions that would cause the risk to occur
Applying appropriate controls to reduce the risk
Transferring the associated risk to other parties
Which of the following are four of the most common audit techniques?
Tests of controls, walkthrough testing, inspection and documentation
Tests of controls, inspection, observation, inquiry and analysis
Walkthrough testing, inspection, analysis and documentation
Tests of controls, inspection, inquiry and analysis and reporting
Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives and:
Support audit conclusions
Ensure accuracy of data in scope of the audit
Ensure integrity of data in scope of the audit
Has been previously agreed with the organization’s management
For which actions is personal data processed?
Making a payment at a POS in a store
Receiving a leaflet on the street for a new Italian restaurant
Making a payment online with a debit card
Logging into an online account
In which scenario can the IT developer company be held liable by the company for which the software was created in case of a data breach?
The IT company did not include a security feature that is considered best practice and state of the art for software and that security feature generated the data breach
The company did not stop access to the database within the software when its employees left the company. Thus, a former employee accessed the database and extracted personal data from there
The software was installed by the company on a cloud server and the default admin username (admin) and password (admin) were not changed. The data breach occurred by exploiting the weak password and default username
The IT company did not include a security feature expressly requested by the company and that security feature generated the data breach
In which scenario is the data controller liable for lack of compliance of the data processor it uses?
The company chosen by the data controller (which is a bank having 1 million clients) has two employees
The data processor uses the data for marketing purposes for other clients of the data processor
No audit was performed by the data controller, even if this has been provided in the agreement between the two as having to be annually performed
No initial analysis was performed by the data controller in relation to the compliance of the data processor with data protection legislation
In which scenario can the IT developer company be held liable by the company ABC for which the software was created in case of a data breach?
ABC notified the IT company that it had identified a vulnerability in the software and the IT company did not take steps to solve this issue, even though this obligation was included in the IT development agreement between the two entities. The data breach exploited this vulnerability
ABC notified the IT company about a vulnerability in the software provided by the IT company. The IT company was working on a patch for around 2 months when a data breach occurred by exploitation of that vulnerability. The agreement between ABC and the IT company stated that any vulnerability was to be patched within 1 month as of the date ABC notified the vulnerability to the IT company
In the press, there were discussions around a vulnerability in the software provided by the IT company and used by ABC. The IT company did not take any steps to patch this vulnerability and was not obliged by its agreement with ABC to do so
The data breach occurred by using basic SQL injection, which is a well-known type of attack. Best practices mention that this type of attack has to be considered when developing software
The data of which data subjects is protected by data protection legislation?
Companies
Individuals (natural persons) who are clients of companies
Employees
Public authorities
Which of the following represents processing of personal data?
Archiving personal data as per the legal obligations on archiving
Collecting IP addresses that cannot be traced back to the actual users
Collection of identification information for new clients
Transfer of personal data to another company in the same group
Which of the following is covered by software copyright?
Operating system source code
Object code
Documentation related to the software developed
Mobile app source code
Which of the following statements are true?
Pseudo-anonymised data can still lead to the identification of an individual or can make an individual identifiable
Profiling of individuals is forbidden by legislation
Any automated decision based on profiling is forbidden by legislation
Pseudo-anonymised data can be obtained by deleting some attributes of an individual that are included in a table containing details of an individual
Which of the statements about NDAs are true?
The NDA is usually signed before confidential data is accessed by the signatories
Confidential data is expressly defined by law and does not need to be detailed in the NDA agreement
An NDA details the persons to whom the NDA applies
The implementation of the clauses in the NDA should be monitored
Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable? (Single Choice)
Test the adequacy of the control design
Test the operational effectiveness of controls.
Focus on auditing high-risk areas.
Rely on management testing of controls.
Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST: (Single Choice)
Include the statement from management in the audit report.
Verify the software is in use through testing.
Include it in the audit report.
Discuss the issue with senior management because it could have a negative impact on the organization.
Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit? (Single Choice)
Complexity of the organization's operation
Findings and issues noted from the prior year
Purpose, objective and scope of the audit
Auditor's familiarity with the organization
Which of the following does a lack of adequate controls represent? (Single Choice)
An impact
A vulnerability
An asset
A threat
Which of the following is the PRIMARY requirement in reporting the results of an IS audit? The report is: (Single Choice)
Prepared according to a predefined and standard template.
Backed by sufficient and appropriate audit evidence.
Comprehensive in coverage of enterprise processes.
Reviewed and approved by audit management.
The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to: (Single Choice)
Inform the audit committee of the potential issue.
Review audit logs for the IDs in question.
Document the finding and explain the risk of using shared IDs.
Request that the IDs be removed from the system.
An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the result will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor? (Single Choice)
Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.
The PRIMARY objective of performing a post incident review is that it presents an opportunity to: (Single Choice)
Improve internal control procedures.
Harden the network to industry good practices.
Highlight the importance of incident response management to management
Improve employee awareness of the incident response process.
An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase? (Single Choice)
Development of an audit program
Review of the audit charter
Identification of key information owners
Development of a risk assessment
A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and: (Single Choice)
Length of service, because this will help ensure technical competence.
Age, because training in audit techniques may be impractical.
IT knowledge, because this will bring enhanced credibility to the audit function.
Ability, as an IS auditor, to be independent of existing IT relationships.
Which of the following constitutes personal data for an insurance company?
Percentage establishing the likelihood of a specific client purchasing life insurance in the next 6 months
Internal client number from a database table
Percentage of clients that have had incidents falling under their insured events
Leads (contact details of individuals interested in purchasing products) received from an insurance broker
In which of the following situations is personal data processed?
Calculation by a bank of the percentage of clients who have requested assistance with configuring their internet banking
Fixing bugs in a production environment by using a VPN connection
Offering physical archiving solutions to companies
Offering cloud storage solutions for a company’s PowerPoint presentations for clients about its new software solution features, containing technical details
Which of the following actions represent processing of personal data?
Holding all data from the group of companies on one server located in Hungary
The IT support team is remediating issues on user laptops by using Windows Remote Desktop
Client A is a client of both company X and company Y (which are part of the same group of companies). The two companies share between themselves data about the client.
Company X is sending monthly reports about each of its clients to its parent company (company Y)
Which of the following entities are data processors?
A company that performs payroll services (payment of salaries to employees)
A bank for payments made through its internet banking application
A training company (that offers training to employees of companies) for attendee details provided by the employer of the attendees
A travel agency for the services offered (travel arrangements) for a company
Which of the following represent anonymized data by reference to the described database?
The field name is transformed into “AAA” for all clients in a database including only this attribute and the favorite type of chocolate for each individual
The unique national identification number (in Romanian: CNP) is transformed into a random number in a patient database that contains only this attribute and the disease from which the individual suffers
The email addresses are scrambled within a database containing only email addresses, first and last names of individuals
Which of the following represent pseudonymised data?
Replacing the unique national identification number (in Romanian: CNP) with a random number in a database containing 10 attributes about an individual
Hashing with MD5 the email address of a client in the database of an online store
The tokens stored on a user device and used by an internet banking application during the authentication step
Who are the data subjects whose personal data is processed in the following scenario/data processing activity: John applies for a loan from a bank and provides to the bank the following requested information: he has relatives working as employees in the bank (in this case yes, his uncle), information about himself, his wife and his children?
The bank
John
John’s uncle
John’s wife
Why is the location (country) of the servers holding data important?
Storing data outside the EU may be subject to additional requirements
Storing data outside the EEA is prohibited by the GDPR
A company can only store data outside the EU on the servers of an EU company
The need for standard model clauses may need to be analyzed if data is transferred outside the EU
What is the processing basis for the following situation: John Smith purchased a laptop from Retail Store. Retail Store informs John Smith via email when it obtained the laptop from its supplier and provides details about the delivery process/status?
Contract
Legitimate Interest
Public Interest
Consent
What is the processing basis for the following situation: John Smith discussed with an insurance broker that he wants an insurance policy from InsuranceCo Inc, but is not sure about which insurance to opt for. The insurance broker sends this information to InsuranceCo Inc in order for InsuranceCo Inc to contact John Smith with details about offers?
Consent
Contract between the insurance broker and the insurance company
Legitimate interest
Legal obligation
Which of the following represents a proper implementation of the transparency principle for account creation in a mobile app?
The information notice is only located in the legal section of an app
A link to the information notice is shown in the account registration process next to an unchecked tick box
Only an email is sent to the user after the account is created
The text of the information notice is shown in the account registration process in a screen. After scrolling down, the user can click next and continue the registration process.
How can the right of erasure (deletion) under the GDPR be implemented properly by Company A?
When a client requests deletion of his data from Company A IT systems, in all cases, all data has to be deleted
When the retention period for a specific data processing purpose is reached, the data is deleted
When an IT system is decommissioned, the data stored in it has to be deleted
The data has to be deleted 10 years after the contract with the individual ceased/was terminated/closed
Which of the following represents the proper implementation of the data minimization principle?
Each department within Company A has access only to the personal data needed for its professional tasks within Company A
An IT vendor working on FitApp has the credentials for a production environment containing multiple apps of Company A in order to perform maintenance for FitApp
The data from a social media account is automatically backed-up by the application to the cloud storage account of the user
Who owns copyright in the following scenario: the employees of a company create software according to the purpose established by their employer (Company A) and no reference to copyright is included in the agreement between the employees and Company A?
The employees that worked on the software
Out of the employees, only the software developers that worked on the software
Company A
Both the employees and Company A
Who owns copyright in the following scenario: individuals that are co-contractors of a company (Company A) (not employees) created software within the purpose established by Company A. Copyright aspects are not included in the agreement between Company A and such co-contractors?
The individuals (co-contractors of Company A) that worked on the software
From the individuals (co-contractors of Company A), only the software developers that worked on the software
Company A
Both the individuals (co-contractors of Company A) and company A
Who owns copyright over the software in the following scenario: Company B created software for Company A, as per the requirements of Company A, and no provisions about copyright are included in the agreement between Company A and Company B?
Company A
Company B
Company A and Company B jointly
Which of the elements below should be included in an NDA?
Definition of confidential data
Entity that holds the copyright over the software
Duration of the confidentiality obligation
Exclusions from the definition of confidential data – e.g. Publicly available data
From a data protection perspective, how should testing of software generally be performed?
Using synthetic data
Using anonymized data
Using pseudonymised data
Using production data
Which of the following is protected by the copyright over software and the databases of a software product?
Functionality of the software
Interface design/UX/UI
Compiled source code
User manuals for the software
Which actions cannot be performed by Company A (that licensed a software for its own use) without the consent of the copyright owner?
Creating a software with the same functionalities in the same order and format
Distributing the software to other entities in the same group as Company A
Analyzing the software to understand the functioning principles
What does copyleft mean?
Transferring copyright to the software development company
Permitting the free use of software by third parties without any obligations
Permitting the free use of software by third parties provided they comply with the initial license terms